aboutsummaryrefslogtreecommitdiffstats
path: root/docker
AgeCommit message (Collapse)AuthorFilesLines
2017-08-15Merge "Do not run clustercheck on the host after O->P upgrade"Jenkins1-0/+6
2017-08-15Merge "Internal TLS support for mongodb container"Jenkins1-7/+45
2017-08-15Merge "Set file mode permission of Ceph keyrings"Jenkins1-5/+1
2017-08-15Merge "Fix parsing of DockerCephDaemonImage parameter"Jenkins1-15/+30
2017-08-14Merge "Enable TLS configuration for containerized Galera"Jenkins1-0/+35
2017-08-14Merge "Fix metadata_settings in containerized mongodb"Jenkins1-0/+2
2017-08-14Merge "Enable TLS for nova api and placement containers"Jenkins2-0/+34
2017-08-14Merge "Make containerized nova-api run with httpd"Jenkins1-6/+3
2017-08-14Set file mode permission of Ceph keyringsJohn Fulton1-5/+1
Pass mode parameter to ceph-ansible in place of ACLs parameter because ACLs are not for same UID in container as container host and because ACLs are not passed by kolla_config. Change-Id: I7e3433eab8e2a62963b623531f223d5abd301d16 Closes-Bug: #1709683
2017-08-14Enable TLS for containerized MySQLJuan Antonio Osorio Robles1-9/+60
Bind mounts and adds the appropriate permissions for the cert and key that's used for TLS. bp tls-via-certmonger-containers Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9
2017-08-14Enable TLS for containerized haproxyJuan Antonio Osorio Robles1-8/+57
This bind mounts the certificates if TLS is enabled in the internal network. It also disables the CRL usage since we can't restart haproxy at the rate that the CRL is updated. This will be addressed later and is a known limitation of using containerized haproxy (there's the same issue in the HA scenario). To address the different UID that the certs and keys will have, I added an extra step that changes the ownership of these files; though this only gets included if TLS in the internal network is enabled. bp tls-via-certmonger-containers Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
2017-08-14Fix metadata_settings in containerized mongodbDamien Ciabrini1-0/+2
The containerized version of the mongodb service omits the metadata_settings definition [1], which confuses certmonger when internal TLS is enabled and make the generation of certificates fail. Use the right setting from the non-containerized profile. [1] https://review.openstack.org/#/c/461780/ Change-Id: I50a9a3a822ba5ef5d2657a12c359b51b7a3a42f2 Closes-Bug: #1709553
2017-08-14Bind mount tripleo.cnf in transient bootstrap containersDamien Ciabrini6-0/+6
Various containerized services (e.g. nova, neutron, heat) run initial set up steps with some ephemeral containers that don't use kolla_start. The tripleo.cnf file is not copied in /etc/my.cnf.d and this can break some deployments (e.g. when using internal TLS, service lack SSL settings). Fix the configuration of transient containers by bind mounting of the tripleo.cnf file when kolla_start is not used. Change-Id: I5246f9d52fcf8c8af81de7a0dd8281169c971577 Closes-Bug: #1710127 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
2017-08-14Containerize virtlogdJiri Stransky2-21/+35
So far we've been using virtlogd running on the host, we should now be using virtlogd from a container. Co-Authored-By: Martin André <m.andre@redhat.com> Co-Authored-By: Jiri Stransky <jistr@redhat.com> Change-Id: I998c69ea1f7480ebb90afb44d6006953a84a1c04
2017-08-12Fix parsing of DockerCephDaemonImage parameterGiulio Fidente1-15/+30
Splitting by colon using native str_split function did not work well because we needed a right split. This change replaces the str_split calls with yaql rightSplit(). Change-Id: Iab2f69a5fadc6b02e2eacf3c9d1a9024b0212ac6
2017-08-12Pass monitor_address_block to ceph-ansible for mon_hostGiulio Fidente1-0/+1
The ip address which clients and other nodes use to connect to the monitors is derived from the monitor_interface parameter unless a monitor_address or monitor_address_block is given (to set mon_host into ceph.conf); this change adds setting for monitor_address_block to match the public_network so that clients attempt to connect to the mons on the appropriate network. Change-Id: I7187e739e9f777eab724fbc09e8b2c8ddedc552d Closes-Bug: #1709485
2017-08-12Merge "Consolidate puppet/docker deployments with one deploy steps workflow"Jenkins4-387/+0
2017-08-12Merge "Correct gnocchi-upgrade command quotes"Jenkins2-4/+14
2017-08-11Correct gnocchi-upgrade command quotesJose Luis Franco Arza2-4/+14
After merging commit 488796, single quotation marks were missed. This causes the upgrade to fail as the flag --sacks-number is considered a su command flag. Also mounts Ceph config data into the container which seems needed for the gnocchi-upgrade command when configured to use Ceph. Also move the gnocchi db sync to step 4, so ceph is ready. Add a retry loop to ceilometer-upgrade cmd so it doesnt fail while apache is restarted. Closes-Bug: #1709322 Change-Id: I62f3a5fa2d43a2cd579f72286661d503e9f08b90
2017-08-11Consolidate puppet/docker deployments with one deploy steps workflowSteven Hardy4-387/+0
If we consolidate these we can focus on one implementation (the new ansible based one used for docker-steps) Change-Id: Iec0ad2278d62040bf03613fc9556b199c6a80546 Depends-On: Ifa2afa915e0fee368fb2506c02de75bf5efe82d5
2017-08-11Internal TLS support for mongodb containerJuan Antonio Osorio Robles1-7/+45
This bind mounts the necessary files for the mongodb container to serve TLS in the internal network. bp tls-via-certmonger-containers Change-Id: Ieef2a456a397f7d5df368ddd5003273cb0bb7259 Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
2017-08-11Enable TLS for nova api and placement containersJuan Antonio Osorio Robles2-0/+34
With these two services running over httpd in the containers, we can now enable TLS for them. bp tls-via-certmonger-containers Change-Id: Ib8fc37a391e3b32feef0ac6492492c0088866d21
2017-08-11Make containerized nova-api run with httpdJuan Antonio Osorio Robles1-6/+3
The non-containerized version will run over httpd [1], and for the containerized TLS work, it is needed in the container version as well. [1] Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3 bp tls-via-certmonger-containers Depends-On: I1c5f13039414f17312f91a5e0fd02019aa08e00e Change-Id: I2c39a2957fd95dd261b5b8c4df5e66e00a68d2f7
2017-08-11Enable TLS configuration for containerized GaleraDamien Ciabrini1-0/+35
In non-containerized deployments, Galera can be configured to use TLS for gcomm group communication when enable_internal_tls is set to true. Fix the metadata service definition and update the Kolla configuration to make gcomm use TLS in containers, if configured. bp tls-via-certmonger-containers Change-Id: Ibead27be81910f946d64b8e5421bcc41210d7430 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Closes-Bug: #1708135 Depends-On: If845baa7b0a437c28148c817b7f94d540ca15814
2017-08-10Mount NFS volume to docker container.Pranali Deore1-0/+11
After creating glance image successfully, share location was remaining empty because the NFS volume on controller was not mounted to docker container. Now, connecting NFS volume to the docker container. Change-Id: Ib45f117cbbf2b7b2c0faf024e9a8b049c440d872 Closes-Bug: 1708629
2017-08-09Enable TLS configuration for containerized HAProxyDamien Ciabrini1-5/+52
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files are all passed as configuration files and must be copied by Kolla at container startup. For the time being, disable the use of the CRL file until we find a means of restarting the containerized HAProxy service when that file expires. Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255 Closes-Bug: #1709563
2017-08-09Set virsh secret with an init step when using CephGiulio Fidente1-4/+52
Run virsh secret-define and secret-set-value in an init step instead of relying on the puppet-nova exec. Co-Authored-By: Jiri Stransky <jistr@redhat.com> Change-Id: Ic950e290af1c66d34b40791defbdf4f8afaa11da Closes-Bug: #1709583
2017-08-09Enable TLS configuration for containerized RabbitMQDamien Ciabrini1-0/+15
In non-containerized deployments, RabbitMQ can be configured to use TLS for serving and mirroring traffic. Fix the creation of the rabbitmq bundle resource to enable TLS when configured. The key and cert are passed as other configuration files and must be copied by Kolla at container startup. Change-Id: I8af63a1cb710e687a593505c0202d717842d5496 Depends-On: Ia64d79462de7012e5bceebf0ffe478a1cccdd6c9 Closes-Bug: #1709558
2017-08-08Merge "MariaDB: create clustercheck user at container bootstrap"Jenkins1-1/+22
2017-08-04Merge "Run gnocchi upgrade with sacks in docker template"Jenkins1-1/+9
2017-08-04Merge "Fix up multipath docker indentation"Jenkins1-5/+5
2017-08-03Remove baremetal cron jobs on docker upgradeDan Prince4-0/+16
Change-Id: I072a3f582cdb978187d14233ea1ba636d12a1293 Closes-bug: #1708466
2017-08-03Merge "Fix CA file bind mounting in containers"Jenkins1-1/+5
2017-08-03Merge "Cinder volume/backup containers shouldn't mount two paths at same point"Jenkins2-2/+0
2017-08-03Merge "Fix keystone, cinder, heat-api cron containers"Jenkins3-1/+7
2017-08-02Fix up multipath docker indentationMichele Baldessari1-5/+5
Deploying a multipathd container gives the following error: failed: [localhost] (item={'key': u'config_files', 'value': [{u'dest': u'/', u'merge': True, u'source': u'/var/lib/kolla/config_files/src-iscsid/*', u'preserve_properties': True}]}) => {\"checksum\": \"72ad81489381571c5043b7613f6828b06ae364bd\", \"failed\": true, \"item\": {\"key\": \"config_files\", \"value\": [{\"dest\": \"/\", \"merge\": true, \"preserve_properties\": true, \"source\": \"/var/lib/kolla/config_files/src-iscsid/*\"}]}, \"msg\": \"Destination directory does not exist\"} The reason is the wrong indentation of the config_files key in the multipath docker service. Change-Id: I0e1fbb9eb188a903994b9e5da90ab4a6fb81f00a Closes-Bug: #1708129
2017-08-02Cinder volume/backup containers shouldn't mount two paths at same pointJohn Fulton2-2/+0
Docker refuses to start the container because config_files/src-ceph:ro is mounted at both /etc/ceph and config-data/puppet-generated/ceph. The mount to /var/lib/config-data/puppet-generated/ceph should have been removed in commit ed0b77ff93a1a1e071d32f6a758e04c6d0b041ef. Change-Id: I411b4764a54fc21e97e4c41a5fef00c7e6e2b64d Closes-Bug: #1707956
2017-08-02Merge "Remove empty metadata_settings from iscsid and multipathd templates"Jenkins2-2/+0
2017-08-01Merge "Generate MySQL client config if service requires database"Jenkins42-100/+280
2017-08-01Run gnocchi upgrade with sacks in docker templatePradeep Kilambi1-1/+9
Without this gnocchi is not initializing the sacks like puppet does and gnocchi containers dont respond properly. Change-Id: I2c53b00793f99420fd12ccc0b5646cf21d528e46
2017-08-01Merge "Add missing metadata_settings from docker services"Jenkins3-0/+6
2017-08-01Fix keystone, cinder, heat-api cron containersDan Prince3-1/+7
The cron containers need to run as root in order to create PID files correctly. Additionally, the keystone_cron container was misconfigured to use /usr/bin/cron instead of the correct /usr/bin/crond. Additionally we have an issue where the Kolla keystone container has hard coded ARGS for the docker container which causes -DFOREGROUND (an Apache specific argument) to get appended onto the kolla_start command thus causing crond to fail to startup correctly. This works around the issue by overriding the command and calling kolla_set_configs manually. Once we fix this in Kolla we can revisit this. Change-Id: Ib8fb2bef9a3bb89131265051e9ea304525b58374 Related-bug: 1707785
2017-08-01Fix CA file bind mounting in containersJuan Antonio Osorio Robles1-1/+5
The syntax was wrong and wasn't actually bind mounting the CA file. This fixes it. Change-Id: Icfa2118ccd2a32fdc3d1af27e3e3ee02bdfbb13b
2017-08-01Remove empty metadata_settings from iscsid and multipathd templatesJuan Antonio Osorio Robles2-2/+0
metadata_settings is meant to have a specific format or be completely absent. Unfortunately the hook [1] doesn't an empty value for this. So we remove it as an easy fix before figuring out how to add such a functionality to the hook. [1] https://github.com/openstack/tripleo-heat-templates/blob/master/extraconfig/nova_metadata/krb-service-principals.yaml Co-Authored-By: Thomas Herve <therve@redhat.com> Change-Id: Ieac62a8076e421b5c4843a3cbe1c8fa9e3825b38
2017-07-31MariaDB: create clustercheck user at container bootstrapDamien Ciabrini1-1/+22
In HA overclouds, the helper script clustercheck is called by HAProxy to poll the state of the galera cluster. Make sure that a dedicated clustercheck user is created at deployment, like it is currently done in Ocata. The creation of the clustercheck user happens on all controller nodes, right after the database creation. This way, it does not need to wait for the galera cluster to be up and running. Partial-Bug: #1707683 Change-Id: If8e0b3f9e4f317fde5328e71115aab87a5fa655f
2017-07-31Merge "Fix creation of iptables rules for non-HA containerized HAproxy"Jenkins1-2/+38
2017-07-31Add missing metadata_settings from docker servicesJuan Antonio Osorio Robles3-0/+6
These are needed for the TLS everywhere bits. Change-Id: I81fcf453fc1aaa2545e0ed24013f0f13b240a102
2017-07-28Merge "Also log docker-puppet.py puppet output to console"Jenkins1-1/+1
2017-07-28Merge "Enable Zaqar API SSL"Jenkins1-0/+17
2017-07-28Also log docker-puppet.py puppet output to consoleBogdan Dobrelya1-1/+1
Running puppet apply with --logdest syslog results in all the output being redirected to syslog. You get no error messages. In the case where this fails, the subsequent debug task shows nothing useful as there was no stdout/stderr. Also pass --logdest console to docker-puppet's puppet apply so that we get the output for the debug task. Related-Bug: #1707030 Change-Id: I67df5eee9916237420ca646a16e188f26c828c0e Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>